CCA Pilot Crib sheet


This sheet is intended only for people who already know what they are doing!

Assumes you are going to use an in-band NAT gateway
 
 
Prep
Make sure they have the right boxes, have tested them with the ISO file to make sure it boots, and can run the script with dummy values and reboot, all without a kernel panic.
Make sure there is a design. It should include all IP addresses, default gateway (dg), DNS, and confirm there is no NAT or ACLs in the way, etc.
Make sure they know what policy they want.
If they don't know - go for critical hotfixes per OS and any AV, installed and up to date.
 
 
Physical stuff
Make sure you know which ports are eth0 on each box (big timewaster if you get it wrong)
 
 
Script on both CAM and CAS
Make sure that the time is set accurately - date is in US format - DON'T GET IT WRONG !!!!!
Use the IP address for the self-signed cert host address
After the script - edit /etc/hosts with the names of the CAM and CAS

If re-running the script, it doesn't ask you to reboot, but you must.
 
 
 
Manage CAS in CAM
Hold your breath and cross everything.
 
 
Set up DHCP server in server using auto-generate
 
 
Create roles
staff with all protocols permit all
student with some restrictions
 
Create local users
user staff, pw staff, role staff
same for student
 
Create login page
User Pages under Administration - add new page, keep defaults unless you want to make it pretty/different for certain OS etc.
 
Require use of agent for staff role
Clean Access -> General Setup -> Agent login
Choose staff - Windows all and tick 'require use of agent' (can do it for OSX too if necessary)
 
Download first set of updates to CAM from CCO
Make sure CAM has connectivity to CCO
Clean Access -> Updates -> Settings
Set it to update every 2 hours from now
Click clean update and check that it downloaded successfully
 
 
Set a policy for staff
keep it simple - just for windows xp (can do others later)
critical hotfixes
must have NAV installed
must have NAV up to date
 
Clean Access -> Clean Access Agent -> Requirements -> new requirement
Name it Requirement_for_XPhotfixes, choose Link distribution, keep it mandatory, url = www.windowsupdate.com (could be whatever, e.g. your own page of instructions)
Description "your system lacks critical updates, please click on the link to visit windows update", choose XP pro/home and add.
 
Then choose requirement rules and select your rule from the drop-down list.
Tick pr_XP_Hotfixes and click update.
 
Create a requirement called 'must_have_NAV_running', make it a link distribution, or a file distribution if you have access to a file
Description (check whether name or description comes up on the screen): 'you don't have NAV running, enable it or click here to download' sort of thing - again XP pro/home (some rules don't work for XP (all))

In requirement rules pick pr_symantec_norton_application (looks for running program)

Create a requirement called 'must have uptodate norton' and make it an av-definition update (different procedure to other rule types), pick XP pro/home as the OS and make the name and description make sense.
 
If you need to test for an AV or AS that there isn't a pr_ rule for, you need to create a rule before you create the requirement.
 
This isn't as scary as it sounds (honest)
 
To check for any valid AV you need to create two rules
 
Rules -> new AV rule
Do one for installation - tick the installation box (only choice) and 'add rule'
Then do one for updates, "Virus Definition".
 
(you could pick a single vendor if you wanted to and get cute with specific versions etc.)
 
Make a link distribution requirement sending them to a web page of your choice if they have no AV. Create a requirement rule that picks up your any-AV rule.

Make an av-definition requirement and create a requirement rule picking up your virus def rule.
 
I've just tested this and the any rule quite nicely spotted I had AVG, but it was out of date, and triggered it to run an update.